Vulnerability of Apache Tomcat: read-write access via setGlobalContext

Synthesis of the vulnerability

An attacker, who is allowed to upload a malicious web application on the service, can bypass access restrictions via setGlobalContext of Apache Tomcat, in order to read or alter data.
Impacted products: Tomcat, Debian, Fedora, SiteScope, HP-UX, Snap Creator Framework, openSUSE Leap, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Oracle OIT, Oracle Virtual Directory, WebLogic, Oracle Web Tier, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this bulletin: 2/4.
Creation date: 22/02/2016.
References of this threat: 1980693, c05150442, c05324755, cpuapr2017, cpuoct2017, CVE-2016-0763, DSA-3530-1, DSA-3552-1, DSA-3609-1, FEDORA-2016-e6651efbaf, HPSBGN03669, HPSBUX03606, NTAP-20180531-0001, openSUSE-SU-2016:0865-1, RHSA-2016:1087-01, RHSA-2016:1088-01, RHSA-2016:1089-01, RHSA-2016:2599-02, RHSA-2016:2807-01, RHSA-2016:2808-01, SUSE-SU-2016:0769-1, SUSE-SU-2016:0822-1, USN-3024-1, VIGILANCE-VUL-18999.

Description of the vulnerability

Apache Tomcat can run a web application from an untrusted source under a Security Manager, which is meant to isolate that application from the rest of the server.

However, a malicious application can call ResourceLinkFactory.setGlobalContext() to inject a context into another application and access that application's data, despite the Security Manager.

An attacker, who is allowed to upload a malicious web application on the service, can therefore bypass access restrictions via setGlobalContext of Apache Tomcat, in order to read or alter data.

Our Vigil@nce team rates the severity of this threat as medium (2/4).

Trust level: confirmed by the editor, based on a vendor document.

Exploiting this vulnerability requires an attacker with expert ability.

Solutions for this threat

Apache Tomcat: version 8.0.32.
The version 8.0.32 is fixed:
  http://tomcat.apache.org/download-80.cgi

Apache Tomcat: version 7.0.68.
The version 7.0.68 is fixed:
  http://tomcat.apache.org/download-70.cgi

Apache Tomcat: version 6.0.45.
The version 6.0.45 is fixed:
  http://tomcat.apache.org/download-60.cgi

Debian: new tomcat6 packages.
New packages are available:
  Debian 7: tomcat6 6.0.45+dfsg-1~deb7u1

Debian: new tomcat7 packages.
New packages are available:
  Debian 7: tomcat7 7.0.28-4+deb7u4
  Debian 8: tomcat7 7.0.56-3+deb8u2

Debian: new tomcat8 packages.
New packages are available:
  Debian 8: tomcat8 8.0.14-1+deb8u2

Fedora 22: new tomcat packages.
New packages are available:
  Fedora 22: tomcat 7.0.68-3.fc22

HPE SiteScope: patch.
A patch is indicated in information sources.

HP-UX: version D.7.0.68.01.
The version D.7.0.68.01 is fixed:
  https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWST706801

IBM TADDM: patch for Tomcat.
A patch is indicated in information sources.

NetApp Snap Creator Framework: patch for Tomcat.
A patch is available:
  https://mysupport.netapp.com/NOW/download/software/snapcreator_framework/4.3P1/

openSUSE Leap 42.1: new tomcat packages.
New packages are available:
  openSUSE Leap 42.1: tomcat 8.0.32-5.1

Oracle Fusion Middleware: CPU of April 2017.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2228898.1

Oracle Fusion Middleware: CPU of October 2017.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2296870.1

Red Hat JBoss Web Server: version 2.1.2.
The version 2.1.2 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=distributions&version=2.1.2

Red Hat JBoss Web Server: version 3.0.3.
The version 3.0.3 is fixed.

RHEL 7: new tomcat packages.
New packages are available:
  RHEL 7: tomcat 7.0.69-10.el7

SUSE LE 12: new tomcat packages.
New packages are available:
  SUSE LE 12 RTM: tomcat 7.0.68-7.6.1
  SUSE LE 12 SP1: tomcat 8.0.32-3.1

Ubuntu: new tomcat packages.
New packages are available:
  Ubuntu 16.04 LTS: libtomcat7-java 7.0.68-1ubuntu0.1
  Ubuntu 15.10: libtomcat7-java 7.0.64-1ubuntu0.3
  Ubuntu 14.04 LTS: libtomcat7-java 7.0.52-1ubuntu0.6
  Ubuntu 12.04 LTS: libtomcat6-java 6.0.35-1ubuntu3.7
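As an added example (not part of the Vigil@nce bulletin or of the Tomcat project), the following script checks an upstream Tomcat install against the fixed versions listed above: it parses the "Server version: Apache Tomcat/X.Y.Z" line printed by Tomcat's own bin/version.sh and reports whether that branch carries the CVE-2016-0763 fix. The sample output and the "unknown" handling for branches the bulletin does not list are assumptions made for this example.

```python
"""Added example: classify a Tomcat install against the fixed versions
named in the bulletin for CVE-2016-0763 (6.0.45, 7.0.68, 8.0.32)."""
import re
from typing import Tuple

# Fixed upstream versions per branch, taken from the bulletin's Solutions section.
FIXED_VERSIONS = {
    (6, 0): (6, 0, 45),
    (7, 0): (7, 0, 68),
    (8, 0): (8, 0, 32),
}

# bin/version.sh prints a line such as "Server version: Apache Tomcat/8.0.30".
VERSION_RE = re.compile(r"^Server version:\s*Apache Tomcat/(\d+)\.(\d+)\.(\d+)", re.M)


def parse_version(version_sh_output: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from the output of bin/version.sh."""
    m = VERSION_RE.search(version_sh_output)
    if m is None:
        raise ValueError("no 'Server version: Apache Tomcat/x.y.z' line found")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(version: Tuple[int, int, int]) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for CVE-2016-0763.

    'unknown' is returned for branches the bulletin does not list (for
    example 8.5.x or 9.x); those must be checked against the vendor's
    own security page rather than assumed safe.
    """
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown"
    return "fixed" if version >= fixed else "vulnerable"


# Constructed sample of version.sh output for an unpatched 8.0.x install.
SAMPLE_OUTPUT = """\
Server version: Apache Tomcat/8.0.30
Server built:   Jan 1 2016 00:00:00 UTC
Server number:  8.0.30.0
OS Name:        Linux
"""

if __name__ == "__main__":
    v = parse_version(SAMPLE_OUTPUT)
    print("Tomcat %s: %s" % (".".join(map(str, v)), assess(v)))
```

This check only applies to upstream Tomcat builds: distribution packages such as Debian's tomcat7 7.0.28-4+deb7u4 backport the fix without changing the upstream version string, so for packaged installs compare the package version against the ones listed above instead.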